The Myth of the Security-Smug Mac User

I still consider myself a relative newcomer to the Mac community. Despite being the Security Editor at TidBITS and an occasional contributor to Macworld (print and online), and having spoken at Macworld Expo a couple times, I only really switched to Macs back in 2005. To keep this in perspective, TidBITS has been published electronically since 1990.

Coming from the security world I had certain expectations of the Mac community. I thought they were naive and smug about security, and living in their own isolated world.

That couldn’t have been further from the truth.

Over the past 7 years, especially the past 5+ since I left Gartner and could start writing for Mac publications, I have learned that Mac users care about security every bit as much as Windows users. I haven’t met a single Mac pundit who ever dismissed Mac security issues or the potential for malware, or who thought their Mac ‘immune’. From Gruber, to Macworld, to TidBITS, and even The Macalope (a close personal friend when he isn’t busy shedding on my couch, drinking my beer out of the cat’s water bowl, or ripping up my drapes with his antlers) not one person I’ve met or worked with has expressed any of the “security smugness” attributed to them by articles like the following:

Worse yet, the vast majority of Mac users worry about security. When I first started getting out into the Mac community people didn’t say, “Well, we don’t need to worry about security.” They asked, “What do I need to worry about?” Typical Mac users from all walks of life knew they weren’t being exploited on a daily basis, but were generally worried that there might be something they were missing. Especially relatively recent converts who had spent years running Windows XP.

This is anecdotal, and I don’t have survey numbers to back it up, but I’ve been probably the most prominent writer on Mac security for the past 5 years, and talk to a ton of people in person and over email. Nearly universally, Mac users are, and have been, concerned about security and malware.

So where does this myth come from? I think it’s 3 sources:

An overly vocal minority who fill up the comments on blog posts and news articles. Yep – a big chunk of them are trolls and asshats. There are zealots like this for every technology, cause, and meme on the face of the planet. They don’t represent our community, no matter how many Apple stickers are on the backs of their cars and work-mandated Windows laptops.

One single advertisement where Apple made fun of the sick PC. One. Single. Singular. Unique. Apple only ever made that joke once, and it was in a single “I’m a Mac” spot. And it was 100% accurate at the time – there was no significant Mac malware then. But since then we have seen countless claims that Apple is ‘misleading’ users. Did Apple downplay security issues? Certainly… but nearly exclusively during a period when people weren’t being exploited. I’m not going to apologize for Apple’s security failings (especially their patching issues, which led to the current Flashback issue), but those are very different than actively misleading users. Okay – one of the Securosis staff believes there may have been some print references from pre-2005, but we are still talking small numbers and nothing current.

Antivirus vendors. Here I need to tread cautiously because I have many friends at these companies who do very good work. Top-tier researchers that are vital to our community. But they have a contingent, just like the Mac4EVER zealots, who think people are stupid or naive if they don’t use AV. These are the same people who want Apple to remove iOS security so they can run their AV products on your phones. Who took out full page advertisements against Microsoft when MS was going to lock down parts of the Windows kernel (breaking their products) for better security. Who issue report after report designed only to frighten you into using their products. Who have been claiming that this year really will be the year of mobile malware (eventually they’ll be right, if we wait long enough).

Here’s the thing. The very worst quotes and articles attacking smug Mac users usually use a line similar to the following:

Mac users think they are immune because they don’t install antivirus.

Which is a logical fallacy of the highest order. These people promote AV as providing the same immunity they say Mac zealots claim for ‘unprotected’ Macs. They gloss over the limited effectiveness of AV products. How even the AV vendors didn’t have signatures for Flashfake until weeks after the infections started. How Windows users are constantly infected despite using AV, to the point where most enterprise security pros I work with see desktop antivirus as more a compliance tool and high-level filter than a reliable security control.

I’m not anti-AV. It plays a role, and some of the newer products (especially on the enterprise side) which rely less on signatures are showing better effectiveness (if you aren’t individually targeted). Plus most of those products include other security features, ranging from encryption to data loss prevention, that can be useful. I also recommend AV extensively for email and network filtering. Even on Macs, sometimes you need AV.

I am far more concerned about the false sense of immunity claimed by antivirus vendors than smug Mac users. Because the security-smug Mac user community is a myth, but the claims of the pro-AV community (mostly AV vendors) are very real, and backed by large marketing budgets.

Update: Andrew Jaquith nailed this issue a while ago over at SecurityWeek:

Note to readers: whenever you see or hear an author voicing contempt for customers by calling them arrogant, smug, complacent, oblivious, shiny-shiny obsessed members of a cabal, “living in a false paradise,” or “fanboys” (with or without the i-for-y substitution), take a whiff of the air nearby. You’ll sniff the sickly sweet smell of schadenfreude wafting in from the general vicinity of the speaker. The condescension doesn’t persuade customers to take security any more seriously, but it probably makes the speaker feel better, right?

Comments

Thu, April 12, 2012 9:36am

@Raymond Meyers

“Ergo, OS X is more secure than Windows.”

Your logic is faulty. Up until recently Macs have been safer (and may still be safer) because they have been attacked less. That doesn’t mean they are more secure. Rich quoted on CNET back in 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html):

“But I want to give Microsoft credit because the more advanced features they put into their operating system are superior to what Apple has done. It’s really a balance because there’s little motivation for Apple to do more at this time. The Mac OS has got some holes in there that Microsoft has closed down. But since it’s attacked less there is less motivation for Apple to close the gap.”

Practically all the security experts quoted say something similar. Charlie Miller quoted in the same article:

“At some point the market share of Macs will reach a threshold to interest attackers, and then things will quickly turn bad for Mac users.”

That time has come.

By Alan

Wed, April 11, 2012 6:18pm

I’m a Mac user with 25 years of experience. I can seem a little smug. Not a single one of my machines has ever been infected, and until just now, I’ve never really felt the need to worry about security. I’ve been lucky.

I have installed an AV program on my two Macs at home. Why? Because I think the old walnut about “security by obscurity” had a kernel of truth to it. And that measure of protection is fading. I don’t think the AV software makes me bulletproof, but I do think it gives me a bit of an edge over just trusting Apple. Also, phishing and Trojans are becoming more sophisticated.

In every scenario, the bad guys innovate first and the good guys have to play catch-up.

Over the last 25 years, Macs have been attacked by fewer pieces of malignant code than Windows. OS X has been attacked successfully far, far fewer times than Windows over the last 10 years. Ergo, OS X is more secure than Windows. It’s arithmetic, not opinion. That doesn’t justify stupidly ignoring inexpensive security measures any more than living in a gated neighborhood justifies leaving the keys in your Ferrari and all your doors unlocked.

By Raymond Meyers

Wed, April 11, 2012 6:04pm

The users are less an issue than Apple. Apple doesn’t discuss security issues. The relationship with people who work on security issues outside the company seems less than great. As a result a lot of what Apple writes about security is marketing. And the marketing is hip and rather smug and elitist. Which isn’t to say those things are bad. A lot of marketing is smug and elitist, and involves a lot of lifestyle fantasy etc., and their marketing has been successful.

You list one source of blame at Apple:
“One single advertisement where Apple made fun of the sick PC. One. Single. Singular. Unique. Apple only ever made that joke once, and it was in a single “I’m a Mac” spot. And it was 100% accurate at the time – there was no significant Mac malware then. But since then we have seen countless claims that Apple is “misleading” users.”

So are the following quotes accurate or misleading? These are taken from their website now; not something from 2006 or whenever that ad ran.

http://www.apple.com/why-mac/better-os/
“...unparalleled security…”
“It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”
“Stay up to date, automatically. When a potential security threat arises, Apple responds quickly by providing software updates and security enhancements you can download automatically and install with a click. So you’re not tasked with tracking down updates yourself and installing all of them one by one.”

The “doesn’t get PC viruses” is disingenuous to say the least. A speaker at Blackhat last year said something like “doesn’t get Mad Cow or HIV either”. So what? And is there anyone that works on security who believes that “Apple responds quickly”? Even just “in a timely manner” would be a stretch.

Text from a PDF on their website now and dated August 2011:
http://images.apple.com/education/docs/apple-10-reasons-macbook-in-education_20110826.pdf
“Security, stability, and simplicity at the core.
The OS X operating system provides innovations that make MacBook reliable, incredibly easy to use, and more secure. UNIX, the rock-solid platform upon which OS X is built, is tried and proven in the industry to be stable, secure, and free from PC viruses. Apple is the only technology provider that designs the hardware, the operating system, and many built-in applications, ensuring the highest level of stability right out of the box. And OS X delivers unmatched ease of use, keeping the focus on learning, not on the technology. No wonder OS X is described as the world’s most advanced operating system.”

“Security…at the core”. One of the refrains that’s common is that OS X is designed to be secure. It is secure by design or inherits a secure architecture from UNIX/BSD. This apparently explains why OS X is different (it’s a “better OS” and “more secure”) and doesn’t get viruses and doesn’t suffer from the security problems that plague Windows. (Apparently, Dave Cutler never thought about security, SDL is a package delivery service, criminals don’t care about cost/opportunity, and there’s a secret mine of magic fairy dust in Cupertino.) And it’s so good it’s security “without any work on your part”! This is a technological fantasy, as dubious as any pitched by some scare-mongering anti-virus peddler. It may be good marketing but it’s lousy security.

By Alan

Wed, April 11, 2012 4:33pm

It was Twitter wasn’t it? Get ‘em!

“Antivirus firm Intego now reports that Flashback’s creators are using an interesting new tactic for communicating with machines infected by the trojan: Twitter. According to the report, Flashback is programmed to search Twitter for Tweets containing a unique 12-digit code that changes daily, with the malware’s authors being able to issue commands to infected computers by posting from any number of Twitter accounts simply by including the appropriate code as a hashtag.”

Since I’ve been hearing this “Mac users think they’re immune” from way before the first obvious example of serious troubles, I think that’s not schadenfreude — delight at others’ misfortunes— but rather envy or justification for “being smarter” about security but getting crappier outcomes.

There’s a point that needs to be made: when the “PC Viruses” ad ran, Windows users were at constant and severe risk from malware. (I haven’t heard anybody contradict my guess that XP was the vehicle for more malware than all other OS’s combined. One friend scrapped her PC after a fresh install still left her PC unusable, in control of bots.) But in their unique ways, all platforms have moved on from that tragic era, and either we’ve all learned how to cope, or viruses have been pretty much dealt with. Today’s attacks are more likely to be on communications or by social engineering, not virii. These need different protections.

In Apple’s case, we can expect MORE controls such as their allowing javascript only from sites that you explicitly visit. More controls on apps’ functionality & distribution and more emphasis on sandboxing. Seems virtually a given.

And more broadly, why is it that whatever ad network that let FlashBack into the wild, has gotten a free pass for total lack of quality control and knowing its customer? Everybody’s quick to blame Apple for its java policies, but the damage would’ve been just as severe if FlashBack had used a zero-day vulnerability that nobody could’ve stopped. A more comprehensive malware effort can’t just try to keep every hole patched and to cut off the money flow to the malware authors; it HAS to work on whose sloppy business practices abet the criminals in putting the gremlins into the wild.

By Walt French

Wed, April 11, 2012 6:40am

“An overly vocal minority who fill up the comments on blog posts and news articles. Yep – a big chunk of them are trolls and asshats. There are zealots like this for every technology, cause, and meme on the face of the planet. They don’t represent our community, no matter how many Apple stickers are on the backs of their cars and work-mandated Windows laptops.”

For example, the journalists that write for AllThingsD?

“The conventional wisdom has often held that Macs are targeted by malware less often than Windows machines because of their relatively small market share. This still has some merit, but the fact is that Windows is also where the vulnerabilities are. Historically, Mac OS X has been substantially less vulnerable to this sort of thing than Windows.

Does that let Apple off the hook entirely? No, though to its credit, Apple had a fix ready within a week of learning of this vulnerability. That’s not exactly a pokey response, especially when the problem lies not directly within Apple’s software, but in Oracle’s.”
https://allthingsd.com/20120406/whats-this-a-mac-virus-no-actually-its-a-weakness-in-java/

By Alan

Tue, April 10, 2012 7:13pm

@jenapeoples

Demanding a better security response worked with Microsoft after the Blaster worm. They heard from their customers, improved the way they tested and released patches, and actually started an internal secure coding practice.

It worked because MS needed its user base, whereas Wall Street has no need to be occupied. Different scenarios entirely.

Obviously this has not made it a secure product, but it has improved things. I would hate to be combating the computery-villains[1] that we have now, with the 2000 version of Microsoft security.

The same could be done with Apple if they chose to apply a bit more security, but it would come at the expense of the ‘user experience,’ which is always the trade-off. Apple would rather not break things than to push patches at the same speed as their competitors. It’s a valid choice, but one that comes with the perception that security is not a (big) concern. That is what gives rise to this article.

I was not coming down on Apple’s decision, trying to explain the perception.

@Michael Murphy
Lucky you. I distinctly remember cleaning up more than a few floppies that had boot sector virii. They came in a big binder of freeware disks that I got loaned when I picked up an Apple ][.

-Xristopher

[1] “Replace “cyber” with “computery.” It is entertaining and approximates how “cyber” sounds to experts.”—@ScottStender

By Xristopher

Tue, April 10, 2012 3:24pm

I dig this article. Always consider the source peeps! I like how you’re pointing out that people just want to have something to chime in with, Rich. So here I am.. chiming in.

There’s a good chance if you’re hearing someone speak on how secure Macs are, you wouldn’t listen to them for 2 seconds regarding other IT issues.. matter-o-fact they are probably baristas or plumbers. It’s not their bag baby! If you’re expecting something substantial to be uttered from sheep that can’t tell the difference between an RJ-45 and -11 you should expect more headaches.

I prefer to think of how cute their lil brains are.

@Xristopher- demanding anyone fix security issues is about as effective as the OWS movement. Apple became aware of the exploit and had a patch for it within a matter of 1-2 weeks. I’m a noob though so maybe this timeframe is unacceptable? The vulnerability may have been there for quite some time but I know for certain I wasn’t witnessing symptoms on machines much longer than a week or so.

It seems like we want to blame someone.. let’s blame the cybervillains.

By jenapeoples

Tue, April 10, 2012 2:54pm

I hear it all the time, too. And it’s not just asshats in social media. My dad was shopping for a new computer and said “I’m thinking of going Mac because I don’t want to worry about viruses.”

My experience is that it takes a savvy and technical-minded person to not believe that “myth”. Even if the source of the belief is only from “one unique ad” or from one pundit who has convinced them.

By Greg

Tue, April 10, 2012 2:50pm

I have used and helped others use Apple computers since 1985. I have never said that Apple computers are immune from viruses nor have I ever heard any other Mac user say so. I have said that I have never had a virus on any of my Apple computers nor have ever found a virus on the Apples of any of my clients.

I see the source of this misinformation is overzealous bloggers and one antivirus vendor in particular.

Michael Murphy

By Michael Murphy
